IT Transformation

[Diagram: Enterprise On-Premise, Private Clouds, Public Clouds, Internet, Remote End Users]


© Qualys 


... But creates new Challenges for Security 


Don't know how many assets you have 
Don't know when those assets are running 
Credential issues / Authentication failures 
Monthly / weekly scanning too slow [WannaCry] 
Can't scan remote users 
Qualys Sensors
Scalable, self-updating & centrally managed


Physical
- Corporate
- Continuous security and compliance scanning

Virtual
- Private cloud infrastructure
- Virtualized infrastructure
- Continuous security and compliance scanning

Cloud/Container
- Commercial IaaS & PaaS clouds
- Pre-certified in marketplace
- Fully automated with API orchestration
- Continuous security and compliance scanning

Cloud Agents
- Lightweight, multi-platform
- On premise, elastic cloud & endpoints
- Real-time data collection
- Continuous evaluation on platform for security and compliance

Passive
- Passively sniff on network
- Real-time device discovery & identification
- Network traffic from network for analysis
- Identification of APT
- Extract malware files

API
- Integration with Threat Intel feeds
- CMDB integration
- Log connectors
Qualys Cloud Agent Platform

- Lightweight Software Agent (collects metadata only)
- Functions in Cloud Native as one Agent
Qualys Cloud Agent

IT, Security, and Compliance Apps delivered by a single agent (Agent Modules):
- Asset Inventory
- Vulnerability Management
- Policy Compliance
- Indication of Compromise Detection
- File Integrity Monitoring
- Patch Management
Qualys Platform
- Cloud Agent
- Central Management / API
- Qualys Suite of Applications

Cloud Agent characteristics:
- Efficient Network Usage (Delta Processing average)
- Lightweight Metadata Collection (tunable)
- Windows, Linux, Mac, AIX
- 6-50 KB / day
- ~1-2% CPU
- 3 MB application
Deploy and Manage Apps On One Cloud Agent

- End the fight with IT to deploy security agents!
- Enabling an application does not require redeployment or reboot of the system
- Self-updating, version control, elastic lifecycle management

[Screenshot: "New Activation Key" dialog. "Create a new activation key. An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this is unlimited - it allows you to add any number of agents at any time." Below it, "Provision Key for these applications" with the licenses remaining per application, and "Set limits".]
Cloud Agent Extends Network Scanning

- No scan windows needed - always collecting
- Find vulnerabilities faster
- Detect a fixed vulnerability faster
- Many new Apps only available on Agent

Best for assets that can't be scanned:
- Unable to get credentials / authentication failures
- Remote systems in branch offices / NAT
- Roaming user endpoints
- Cloud / Elastic deployments
Cloud Agent CPU Tuning - Linux

VM: < 1.2% CPU peak usage for less than 15 mins

[Chart: CPU Utilization (Percent), Average, 12-hour time range, 15-minute period, for an AWS t2.micro instance running Cloud Agent]

AWS EC2: not allowed to scan nano, micro, or small instances using network scanning
Cloud Native - Collect Provider Metadata

Agent collects metadata locally without Connector.

AWS EC2: accountId, amiId, availabilityZone, hostname, hostnamePublic, instanceType, kernelId, privateIpAddress, securityGroupIds, securityGroups, subnetId, VPCId

Microsoft Azure: dnsservers, ipv6, location, macAddress, name, offer, osType, privateIpAddress, publicIpAddress, publisher, resourceGroupName, tags, subnet, subscriptionId, version, vmSize

Google Cloud Platform: hostname, machineType, network, projectId, projectIdNo

IBM Cloud (coming June 2019): datacenterId, deviceName, publicIp, privateIp, id, publicVlan, domain, privateVlan
2019 Cloud Agent Application Roadmap

[Roadmap table, quarters Q1 to Q4, for the Cloud Apps Patch Management, Vulnerability Management, Policy Compliance, Indication of Compromise and Asset Inventory. Items on the roadmap: Released; General Availability; User Defined Controls; Linux; Mac; Middleware Auto-Discovery; Middleware Auto-Discovery Remediation; Scan by Policy; Threat Feed; Alerts/Actions; Network IOCs; Detect Unmanaged Assets on the Network.]

Roadmap schedule subject to change
Announcing

Available Now on Shared Platform

Cloud Agent Deployment Questions

- I wish to run Cloud Agent on assets that do not have direct access to the Internet due to security policies
- I am (A) not able to use existing proxies deployed by IT or (B) not able to buy/manage an open-source or full-fledged commercial proxy
- I wish to optimize the bandwidth utilized by large Cloud Agent deployments and Patch Management
Qualys Cloud Agent Gateway (CAG)

- A Qualys-developed HTTP proxy/cache running on a new virtual appliance platform
- Separate appliance from the Virtual Scanner
- CAG appliances are downloaded and managed from the Qualys Platform UI
- Cloud Agents use existing agent proxy capabilities to connect through CAG to the Qualys platform
How it works

- The CAG virtual appliance is downloaded from the UI by the customer, run locally, and registers the appliance.
- Cloud Agent Gateway (CAG): virtual appliance with Docker containers providing HTTPS Proxying, Caching, Load Balancing, High-Availability, and Logging.
- Cloud Agent: agents use existing HTTPS Proxy features to connect to CAG (if no proxy, fail over to direct connection).

[Diagram: Qualys Platform <-> CAG Virtual Appliance (download, management, logging) <-> Cloud Agent (agent communication)]
CAG Deployment

[Diagram with the labels: Shared Platform, Internet, Customer Remote Network, Direct Connection Network, Restricted Access Network]
Expanded CAG Use Cases

- Proxy/caching for Patch Management patch downloads
- Recommended/Required for on-premises agents
Qualys Indication of Compromise
Bringing IOC to the Next Level

Chris Carlson
VP, Product Management, Qualys, Inc.

Adversary TTPs are Changing

Early 2010s: Zero-day Vulnerabilities (Nation State, Industrial Espionage, Black Market)

Today: Rapidly weaponizing newly-disclosed vulnerabilities (Lesser Nation State, Industrial, Organized Crime). Good, Fast, Cheap - Pick all 3
Known Critical Vulnerabilities are Increasing

- 6-7K vulnerabilities are disclosed each year*
- 30-40% are ranked as “High” or “Critical” severity
- “Mean Time to Weaponize” (MTTW) is rapidly decreasing y/y
Adversaries are Evading Anti-Virus Detection

[Screenshot of the Bugtraq entry:]
Multiple Symantec Products CVE-2018-12238 Local Security Bypass Vulnerability
Bugtraq ID: 105917
CVE: CVE-2018-12238
Remote: No  Local: Yes
Published: Nov 28 2018 12:00AM
Credit: Qualys Malware Research Lab
Vulnerable:
- Symantec Norton AntiVirus 22.7
- Symantec Norton AntiVirus 21.0
- Symantec Norton AntiVirus 17.6.0.32
- Symantec Endpoint Protection Cloud 12.1.6
- Symantec Endpoint Protection Cloud 14
- Symantec Endpoint Protection 12.1.6 MP4
- Symantec Endpoint Protection 12.1.6
- + 95 other products
Vulnerability Management Lifecycle

[Cycle diagram with the stages: Asset Inventory, Vulnerability Management, Threat Risk and Prioritization, Patch Management]
Get Proactive - Reduce the Attack Surface

- Immediately Identify Vulnerabilities in Production
- PM: Notify IT Asset Owner to Patch / Stop the Instance
- Change Configuration to Limit Unauthorized Access
- CSA: Control Network Access / Cloud Security Groups
- IOC: Add Detection and Response - Endpoint
Proactively Hunt, Detect, and Respond

- Indication of Compromise: detect IOCs, IOAs, and verify Threat Intel
- Passive Network Sensor: what new devices are on the network? Are there new/different traffic patterns?
Qualys IOC - Visibility Beyond Anti-Virus

- Threat Intel Verification: Threat Intel feeds / mandated to verify. “Is this hash, registry, process, mutex on my network?”
- Hunting / Find Suspicious Activity: Indicator of Activity hunting with pre-built and user-defined queries
- Detect Malware missed by Anti-Virus: using Qualys Malware Labs behavior models and a leading commercial Threat Feed
- “Look Back” Investigation after a known breach: go back over months of stored endpoint events and find the first occurrence of a breach
- API & Alerting
Threat Intel Verification

[Screenshot: the US-CERT alert “NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing” (October 6, 2017) beside the Qualys Indication of Compromise Hunting view, searching for the file hash d926e76030f19f1f7ef0b3cd1a4e80f9 over the last 7 days.]

From the alert: On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware, referred to as NotPetya, encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details

Anti-Virus Coverage: VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report.

- Delivery - MD5: 71b6a493388e7d0b40c83ce903bc6b04
- Installation - MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
- Credential Stealer (new) - MD5: d926e76030f19f1f7ef0b3cd1a4e80f9

Secondary Actions: NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:

Threat Intelligence lists attack information ... Find the object there. In the hunting view the credential stealer hash is found as svchost.exe on host WIN7-320860-T44.
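The hash/process/mutex verification and the “look back” hunt described above, as an added example that is not Qualys code: it runs the indicators over constructed endpoint events (the host and object names are made up; the three MD5s are the NotPetya hashes quoted on the slide), reports the first occurrence per indicator, and shows how a narrow search window like “Last 7 Days” misses the earlier infections that a full look-back finds.

```python
# Constructed endpoint telemetry (not Qualys data); the three MD5s are the NotPetya
# delivery / installation / credential-stealer hashes quoted on the slide.
EVENTS = [
    {"ts": "2017-06-26T17:40:12Z", "host": "WIN7-320860-T44", "type": "file",
     "name": "setup.exe", "md5": "71b6a493388e7d0b40c83ce903bc6b04"},
    {"ts": "2017-06-27T09:14:03Z", "host": "WIN7-320860-T44", "type": "process",
     "name": "svchost.exe", "md5": "d926e76030f19f1f7ef0b3cd1a4e80f9"},
    {"ts": "2017-06-28T11:02:45Z", "host": "FIN-WS-017", "type": "process",
     "name": "svchost.exe", "md5": "D926E76030F19F1F7EF0B3CD1A4E80F9"},
    {"ts": "2017-07-03T08:00:00Z", "host": "DC-01", "type": "mutex",
     "name": "Global\\ConstructedMutex", "md5": None},
    {"ts": "2017-07-03T08:05:00Z", "host": "HR-WS-002", "type": "process",
     "name": "explorer.exe", "md5": "0123456789abcdef0123456789abcdef"},
]

# Indicators to verify: "is this hash, process, mutex on my network?"
IOCS = [
    {"type": "hash", "value": "71b6a493388e7d0b40c83ce903bc6b04", "label": "NotPetya delivery"},
    {"type": "hash", "value": "7e37ab34ecdcc3e77e24522ddfd4852d", "label": "NotPetya installation"},
    {"type": "hash", "value": "d926e76030f19f1f7ef0b3cd1a4e80f9", "label": "NotPetya credential stealer"},
    {"type": "mutex", "value": "Global\\ConstructedMutex", "label": "constructed mutex indicator"},
]

def event_matches(event, ioc):
    """Hash indicators compare case-insensitively against the MD5; other indicator
    types (process, mutex, registry, ...) compare against the object name."""
    if ioc["type"] == "hash":
        return (event.get("md5") or "").lower() == ioc["value"].lower()
    return event["type"] == ioc["type"] and event["name"].lower() == ioc["value"].lower()

def hunt(events, iocs, since=None):
    """Match indicators over stored events; `since` (ISO-8601 Z) limits the window like
    the UI's 'Last 7 Days', None looks back over the whole history. Returns
    {label: {"first_seen", "first_host", "hosts"}} for each indicator with hits."""
    if since:
        events = [e for e in events if e["ts"] >= since]  # Z timestamps sort as strings
    hits = {}
    for ioc in iocs:
        matched = [e for e in events if event_matches(e, ioc)]
        if not matched:
            continue  # indicator verified absent in this window
        first = min(matched, key=lambda e: e["ts"])
        hits[ioc["label"]] = {"first_seen": first["ts"], "first_host": first["host"],
                              "hosts": sorted({e["host"] for e in matched})}
    return hits

def breach_start(hits):
    """Earliest first-seen across all hits: the first occurrence of the breach."""
    return min(((h["first_seen"], label) for label, h in hits.items()), default=None)
```

Calling `hunt(EVENTS, IOCS, since="2017-07-01T00:00:00Z")` returns only the mutex hit, while `hunt(EVENTS, IOCS)` also surfaces the June infections and `breach_start` dates the breach to the delivery file on 2017-06-26.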


Detect Malware Missed by Anti-Virus

UK Government Contractor:
- “Big 4” Anti-virus installed
- Qualys Agent for Vulnerability Mgmt
- Added Qualys IOC on existing agents
- 256 hosts

Qualys IOC discovered...
- Dridex Banking Trojan (51)
- 4 Domain Controllers infected
- Backdoors (7) installed due to phishing campaigns
- Netcat (8) root kits installed
- 46 PUAs installed

[Dashboard screenshot: Malicious / Potentially Unwanted Apps, by hostname]
Find Malware using Stolen Code-Signing Certificates

July 2018: Certificates stolen from D-Link and others used by cyberespionage group (welivesecurity). Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign: D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan.
https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/

March 2019: Hackers dropped a secret backdoor in Asus’ update software (TechCrunch).
https://techcrunch.com/2019/03/25/asus-update-backdoor/

[Screenshot: Windows Digital Signature Details and Certificate dialogs for an ASUSTeK Computer Inc. signature. “This digital signature is OK.” Name: ASUSTeK Computer Inc. Signing time: Not available. Issued to: ASUSTeK Computer Inc. Issued by: DigiCert SHA2 Assured ID Code Signing CA. Valid from 6/20/2018 to 6/22/2021. Certificate purposes: ensures software came from software publisher; protects software from alteration after publication.]


Real-Time Responses - Rules, Search, Widgets

[Screenshot: Indication of Compromise > Rules > Activity view, 22 Apr 2019, 2.48K total activities. Rule “All malware infections” (condition: RL score > 0) triggering the actions “Post to Slack” and “Send Email to Security ...”, each with status Success, 23 minutes ago.]

DEMO
Indication of Compromise
- Threat Intel Verification / Hunting
- Malware Detection
- Alerting